Headline
Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. “The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News
Cyber Espionage / Critical Infrastructure
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021.
“The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
The cybersecurity firm did not reveal the country that was targeted, but said it found evidence to suggest that the malicious cyber activity may have started as far back as 2020.
The attacks also targeted an unnamed services company that catered to the telecoms sector and a university in another Asian country, it added.
The choice of tools used in this campaign overlaps with other missions conducted by Chinese espionage groups like Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Neeedleminer and Nomad Panda), and Naikon (aka Firefly) in recent years.
This includes custom backdoors tracked as COOLCLIENT, QuickHeal, and RainyDay that come equipped with capabilities to capture sensitive data and establish communication with a command-and-control (C2) server.
While the exact initial access pathway used to breach the targets is presently unknown, the campaign is also notable for deploying port scanning tools and conducting credential theft through the dumping of Windows Registry hives.
The fact that the tooling has connections to three different adversarial collectives has raised several possibilities: The attacks are being conducted independently of each other, a single threat actor is using tools acquired from other groups, or diverse actors are collaborating on a single campaign.
Also unclear at this stage is the primary motive behind the intrusions, although Chinese threat actors have a history of targeting the telecoms sector across the world.
In November 2023, Kaspersky revealed a ShadowPad malware campaign targeting one of the national telecom companies of Pakistan by exploiting known security flaws in Microsoft Exchange Server (CVE-2021-26855 aka ProxyLogon).
“The attackers may have been gathering intelligence on the telecoms sector in that country,” Symantec postulated. “Eavesdropping is another possibility. Alternatively, the attackers may have been attempting to build a disruptive capability against critical infrastructure in that country.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.
By Waqas Going by the name of Witchetty; the hacker group is targeting countries in Africa and the Middle East. This is a post from HackRead.com Read the original post: Chinese Hackers Hiding Malware in Windows Logo
APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.
By Nate Pors and Terryn Valikodath. Executive summary In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021. Understandi...
The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include
This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.
Update March 15, 2021: If you have not yet patched, and have not applied the mitigations referenced below, a one-click tool, the Exchange On-premises Mitigation Tool is now our recommended path to mitigate until you can patch. Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version.
On March 2nd, we released several security updates for Microsoft Exchange Server to address vulnerabilities that are being used in ongoing attacks. Due to the critical nature of these vulnerabilities, we recommend that customers protect their organizations by applying the patches immediately to affected systems. The vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Server 2010 is also being updated for defense-in-depth purposes.